Datto EDR Integrations
LEGACY ARTICLE: The content in this article is no longer updated and is available for reference purposes only. Features and workflows described may be deprecated, significantly changed, or no longer supported.
Environment
- Datto EDR
Description
Integrations are the main mechanism for handling alerts outside Datto EDR and are configured from the Admin Panel. Out of the box, alerts can be sent to a syslog server or to any SIEM that accepts Common Event Format (CEF) messages over syslog. Native integrations also exist for sending analyzed data to the Splunk and Elastic log platforms.
Syslog / SIEM
Sends some or all alerts to your syslog server or SIEM as CEF messages.
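The receiving syslog server or SIEM has to split the CEF header on unescaped pipes and the extension on unescaped "key=" tokens before it can filter on severity; collectors that use a naive split on "|" or "=" will mangle alert names containing pipes and Windows paths. The following is an added example of that receiver-side parsing, not code from this article, from Datto EDR or from any SIEM. The sample syslog lines are constructed: the vendor, product, signature IDs and extension fields are placeholders, not actual Datto EDR output, and the severity threshold of 7 is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample syslog lines carrying CEF alerts. Vendor, product, signature IDs
# and extension contents are illustrative only, not actual Datto EDR output.
SAMPLE_SYSLOG = [
    "<134>Jan 15 10:22:01 edr-host CEF:0|ExampleVendor|ExampleEDR|1.0|1001|"
    "Suspicious PowerShell|8|src=10.0.0.5 suser=alice "
    "msg=cmd \\= powershell -w hidden cs1=C:\\\\Users\\\\alice",
    "<134>Jan 15 10:22:05 edr-host CEF:0|ExampleVendor|ExampleEDR|1.0|1002|"
    "Name with \\| pipe|3|src=10.0.0.9 suser=bob",
]


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _split_header(text, n_fields=7):
    r"""Split the CEF header on the first n_fields unescaped '|' characters.
    Header fields escape '|' as '\|' and '\' as '\\'; everything after the
    seventh pipe is the extension and is returned raw (it uses different escapes)."""
    fields, cur, i = [], [], 0
    while i < len(text):
        c = text[i]
        in_header = len(fields) < n_fields
        if in_header and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif in_header and c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    fields.append("".join(cur))
    return fields


# A key is a run of [A-Za-z0-9_.] at the start of the extension or after whitespace,
# immediately followed by '='. An escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z_][A-Za-z0-9_.]*)=")


def _unescape_value(raw):
    r"""Undo extension-value escapes: '\=', '\\', '\n', '\r'."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1])); i += 2
        else:
            out.append(raw[i]); i += 1
    return "".join(out)


def _parse_extension(ext):
    """Extension is 'key=value' pairs separated by spaces; values may contain spaces,
    so a value runs until the next unescaped 'key=' token."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].rstrip())
    return out


def parse_cef(line):
    """Parse one syslog line (any '<PRI>timestamp host ' prefix is skipped) into a CefEvent."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields = _split_header(line[start + 4:])
    if len(fields) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields before the extension")
    return CefEvent(*fields[:7], extension=_parse_extension(fields[7]))


def severity_value(sev):
    """CEF severity is 0-10 or Low/Medium/High/Very-High; names map to the bottom
    of their numeric band (an assumption made here) so thresholds compare uniformly."""
    s = sev.strip().lower()
    if s.isdigit():
        return int(s)
    return {"low": 0, "medium": 4, "high": 7, "very-high": 9}.get(s, -1)


def triage(lines, min_severity=7):
    """Return (signature_id, name, src) for every alert at or above min_severity."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if severity_value(ev.severity) >= min_severity:
            hits.append((ev.signature_id, ev.name, ev.extension.get("src")))
    return hits


if __name__ == "__main__":
    for ev in map(parse_cef, SAMPLE_SYSLOG):
        print(ev.signature_id, repr(ev.name), ev.severity, ev.extension)
    print(triage(SAMPLE_SYSLOG))
```

Run it directly to see both sample alerts decoded; only the severity-8 alert survives the triage threshold, and the pipe in the second alert's name and the backslashes in the first alert's cs1 path come through intact.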
Splunk
Sends some or all alerts to Splunk for additional actions.
Datto EDR provides an app on Splunkbase. Installing the app creates an index and an HTTP Event Collector (HEC) token; you must enable the token manually.
- Download and install the app from Splunkbase.
- In Splunk, go to Settings → Data Inputs → HTTP Event Collector.
- Click Global Settings and set All Tokens to Enabled; this switches HEC on globally, independently of the per-token enable.
- Note the port HEC listens on (8088 by default) and whether Enable SSL is checked, since that decides whether the URL is https or http.
- Note the token value.
- In Datto EDR, go to Account → Admin → Integrations.
- Click Splunk → Add Splunk integration.
- Enter the Splunk URL, port (default 8088), and token.
- Configure which data should be sent to Splunk.
- Run a scan on an endpoint to confirm that data arrives in Splunk.
- Check the Datto EDR dashboard.
Elastic
Sends some or all alerts to Elastic for additional actions.